Archive for March 2016

Pentagon Launches Month of Bug Finding

The Department of Defense is to launch a pilot program that will allow qualified participants to “Hack the Pentagon”.

Following the landmark announcement at the start of March that the Pentagon would allow researchers to test the department’s cybersecurity posture, the DoD has partnered with HackerOne to run a pilot spanning April and May. Participants will be allowed to target several public DoD websites, which will be identified to them as the challenge approaches; critical, mission-facing computer systems are out of scope.

The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12. Qualifying bounties will be issued by HackerOne no later than Friday, June 10. Individual bounty payments will depend on a number of factors, but will come from a $150,000 fund for the program.

Eligible participants must be US nationals and must not appear on the Department of the Treasury's Specially Designated Nationals list. Participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely. They may opt out of the screening, but will then forgo bounty compensation.

US Secretary of Defense Ash Carter said that the initiative will put the department's cybersecurity to the test “in an innovative but responsible way”.

“I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot,” he said.

Katie Moussouris, chief policy officer at HackerOne, told Infosecurity that the initiative could prompt other governments to follow suit with similar programs. She said: “I absolutely expect that after watching a successful bug bounty pilot with the US government, other governments and other non-traditional software companies in other industries will embrace the wisdom and mutual benefits of working with hackers. Hack the planet!”

Commercial IoT Devices Vulnerable to Privacy Theft

With concerns over the security of the Internet of Things (IoT) continuing to make headlines, Bitdefender has examined a set of randomly selected but commonly used consumer IoT devices to gauge how well they are secured in the home, identifying four that are all vulnerable to privacy theft.

Once dismissed as a 'fad' by many in the industry, IoT is now a reality that already has a significant impact on daily life and is expected to play an ever-growing role in the home over the coming years. With Gartner predicting that as many as four billion internet-connected devices will be in use in households this year, the need to ensure they are secure is pressing.

After all, while IoT in the home can offer unprecedented comfort and convenience, inadequate security means it can also lead not only to the exposure of sensitive data such as bank details, usernames and passwords, but also to human rights concerns.

A person’s eating habits, sleeping patterns, location and lifestyle are prime examples of the kind of information many household IoT devices monitor and record. In isolation, such fragmented data would not generally be considered high-risk; it takes on a whole new light once cyber-criminals can access and aggregate it into an invasive digital portrait of an individual.

In the paper ‘The Internet of Things: Risks in the Connected Home’, Bitdefender researchers examined how the selected devices connect to the internet and to the cloud, as well as the communication between each device and its companion mobile application. The findings show that the current authentication mechanisms of many IoT devices can easily be bypassed, exposing smart households and their inhabitants to privacy theft. The paper raises specific concerns about the following four appliances:

LIFX Bulb: a smart LED bulb that lets users control household lighting from a smartphone app. Bitdefender found that an attacker can reset the device by switching it on and off five times, then use it to create a new hotspot that captures the username and password of the user’s Wi-Fi network.

MUZO Cobblestone audio receiver: a Wi-Fi audio receiver that streams music from various sources via the home router. It ships with an embedded Telnet service for remote access, and with basic password brute-forcing the researchers discovered that its initial credentials were set to admin/admin. Bitdefender notes that this issue has since been partially fixed.

LinkHub: another smart lighting product, consisting of an adapter and two bulbs that can be managed remotely. It lacks authentication and sends data in plain text, allowing attackers to obtain the username and password of the Wi-Fi network.

WeMo switch: a smart plug that can remotely turn plugged-in electronics on or off and includes automation capabilities. Its access point authentication is weak, which can leave users’ Wi-Fi credentials at risk.
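The MUZO finding above (a Telnet service answering to admin/admin) is the kind of weakness a home or lab network audit should catch before an attacker does. The Python script below is an added example, not Bitdefender's tooling: it tries a short list of default credential pairs against a Telnet service and reports the first one that works. The admin/admin pair comes from the report; the other pairs, the host and port, and the constructed stand-in "device" (a tiny fake Telnet server on localhost, included so the script runs offline) are assumptions. Use it only against devices you own or are authorised to test.

```python
"""Default-credential audit for a Telnet service on a consumer device.

Added example: tries a short list of default username/password pairs against a
Telnet port and reports the first that works. Includes a constructed stand-in
"device" (fake Telnet server on localhost) so it runs offline. Use only on
devices you own or are authorised to test."""
import socket
import threading

# admin/admin is the pair the Bitdefender report describes; the rest are
# assumed common defaults added for illustration.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "root"), ("admin", "password")]

IAC = 0xFF  # Telnet "Interpret As Command" byte that starts option negotiation


def _strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC <cmd> <option> triples so prompt matching sees only text."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def _read_until(sock: socket.socket, markers, timeout: float = 2.0, limit: int = 4096) -> bytes:
    """Read until one of the (lower-case) byte markers appears, the peer closes, or the timeout expires."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < limit:
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _strip_telnet_negotiation(chunk)
        if any(m in buf.lower() for m in markers):
            break
    return buf


def try_login(host: str, port: int, username: str, password: str, timeout: float = 2.0) -> bool:
    """Return True if the Telnet service accepts username/password (a shell prompt appears)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, [b"login:", b"username:"], timeout)
        s.sendall(username.encode() + b"\r\n")
        _read_until(s, [b"password:"], timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, [b"incorrect", b"failed", b"login:", b"$ ", b"# "], timeout).lower()
    if b"incorrect" in reply or b"failed" in reply or b"login:" in reply:
        return False
    return b"$ " in reply or b"# " in reply


def find_default_credentials(host: str, port: int, candidates=DEFAULT_CREDENTIALS):
    """Return the first working (username, password) pair, or None if none work or the port is unreachable."""
    for user, pw in candidates:
        try:
            if try_login(host, port, user, pw):
                return (user, pw)
        except OSError:
            return None
    return None


def start_fake_device(valid=("admin", "admin")) -> int:
    """Constructed stand-in for a device whose Telnet service uses default credentials.

    Not a real product; it exists so the audit can be demonstrated offline.
    Returns the localhost port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn, conn.makefile("rb") as rf:
                    conn.sendall(b"\xff\xfd\x01login: ")  # IAC DO ECHO, then the prompt
                    user = rf.readline().strip()
                    conn.sendall(b"Password: ")
                    pw = rf.readline().strip()
                    if (user.decode(errors="replace"), pw.decode(errors="replace")) == tuple(valid):
                        conn.sendall(b"\r\nBusyBox built-in shell\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_device()
    print("working default credentials:", find_default_credentials("127.0.0.1", port))
```

Point `find_default_credentials` at a real device's address and port 23 to audit it; the prompt markers are the common login/Password/shell strings and may need extending for a device with a different banner.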

The findings suggest that consumer IoT devices are currently falling short on security, and according to Matthew Aldridge, Solutions Architect at Webroot, there is much work to be done to put this right.

“It is not surprising this research has found that current authentication mechanisms can be easily bypassed,” he told Infosecurity. “It is the latest in a long line of such discoveries and we anticipate that huge numbers of devices have similar security and privacy issues.”

“We are still in the early days of household IoT devices and capability is foremost in the goals of the producers and purchasers of such equipment – security and privacy have a long way to go in order to catch up.”

For Aldridge, the best approach right now is to make users aware of the risks so they can take precautions. Meanwhile, “industry organizations and regulatory bodies are beginning to step up and continue with the formulation of standards to address many of these issues, but these initiatives will take time to come to fruition,” he added.

Nine in Ten UK Consumers Worried About Smart Home Privacy

Over 90% of UK consumers are concerned that their ‘smart home’ data could be hacked and used against them, according to a new study from Intel Security.

The security giant polled 1000 UK adults as part of a global report – Internet of Things and the Smart Home – which compiled the responses of 9000 consumers to better understand their attitudes to security and privacy in a world of embedded technologies.

The device UK respondents consider the biggest threat is a “virtual babysitter,” according to the research.

“When it comes to major cybersecurity risks in the smart home, privacy remains top of the agenda,” Intel Security’s EMEA CTO, Raj Samani, told Infosecurity. “As it stands, the privacy attacks that have occurred have been very isolated. However, the threat of devices gathering personal data with questionable approaches on consent is very real.”

He argued that consumers need to voice their concerns more publicly to ensure manufacturers design security and privacy in from the start.

“If we demand products that are built better at preserving our privacy and protecting us, then the manufacturers will have no choice but to do so,” Samani added.

However, while British consumers are clearly concerned about the potential privacy risks associated with the smart home, they also appear to be prepared to share data on their own terms.

UK adults also appear to be more sceptical than others around the world about the ability of smart technologies to transform their home life.

Nearly three-quarters (71%) said they don’t believe smart homes will be as commonplace in 2025 as smartphones are today, versus just 23% of global respondents.

Meanwhile, 77% claimed they’d be interested in buying smart technology for the home if they received monetary benefits in return, like tax credits.

That’s not to say UK consumers are completely blind to the benefits of the smart home.

Two-thirds said they thought the technology would help to lower gas and electricity bills, while 36% claimed it could reduce the time spent on household chores. Over a third (36%) said the best thing about living in a smart home would be spending more quality time with the family.

World Backup Day Returns as Ransomware Epidemic Bites

Industry experts have been urging businesses to use World Backup Day today to rethink how they can better protect their most valuable assets, especially in light of the ransomware epidemic sweeping the globe.

The annual global awareness campaign, which describes itself as an “independent initiative,” quotes 2013 figures from backup and storage firm Backblaze on its homepage claiming that 29% of users have never backed up their data, although that study is US-centric and mainly consumer-focused.

Among organizations too there are still lessons to be learned, according to Rackspace director of technical services, Giri Fox.

“The rapid increase in the amount of data that consumers and organizations store is one of the biggest challenges facing the backup industry. Organizations aren’t always sure what data they should be keeping, so to make sure they don’t discard any important data they sometimes end up keeping everything which adds to this swell of data,” he argued.

“For many companies, a simple backup tool is no longer enough to make sure all these company assets are safe and available, they need support in keeping up with the sheer scale of data and to fix problems when a valuable file or database goes missing.”

For Trend Micro VP of research Rik Ferguson, backups need to be stored offline to ensure they are not themselves at risk of infection by ransomware or other malware.

“Ransomware is an epidemic that doesn’t seem to be going away anytime soon. Attackers are constantly updating their creations, adding functionality and refining their technology, and that’s just one powerful – and potentially costly – reason why backups have taken on a new level of importance,” he told Infosecurity.

“It’s no longer simply about a catastrophic outage or failure. In fact, the new breed of ransomware is capable of spreading throughout a network, searching for valuable data and encrypting it beyond reach until the attackers’ demands are met.”

The message is getting through to some organizations, according to Rackspace’s Fox, who claimed his firm backs up 120 PB per month globally.

“One of the main challenges for us is that businesses don’t just want to back up more data than ever before, they want it to be done quicker than ever before. Also, the process of doing so has become more complex than it used to be because companies are more conscious than ever of the compliance regulations they have to adhere to,” he explained.

“Fortunately, with the development of deduplication techniques, we are now able to back up unique sections of data rather than duplicating large pools continuously, which has sped up the backing-up process.”
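Two of the points above, Ferguson's that backups must be kept out of ransomware's reach and Fox's that deduplication stores only unique data, both fall out of a content-addressed snapshot store. The Python below is an added example, not Rackspace's or Trend Micro's software: every 4 KB chunk is stored once under its SHA-256 digest, each snapshot is an append-only manifest, restores re-hash every chunk, and a "changed fraction" check flags the mass-rewrite pattern a ransomware run leaves behind so the good snapshot is never expired by the bad one. The file names, chunk size and simulated encryption are constructed for the demonstration.

```python
"""Content-addressed, deduplicating snapshot store with integrity-checked restore.

Added example of the backup techniques discussed above; not Rackspace's or Trend
Micro's software. File names, chunk size and the simulated ransomware run are
constructed for the demonstration."""
import hashlib
import random

CHUNK_SIZE = 4096  # fixed-size chunking (assumption; products typically use content-defined chunking)


class SnapshotStore:
    """Every chunk is stored once under its SHA-256; snapshots are append-only manifests."""

    def __init__(self):
        self.chunks = {}      # sha256 hex digest -> chunk bytes
        self.snapshots = []   # list of {path: [digest, ...]}, never modified after append
        self.bytes_seen = 0   # total bytes presented for backup, for the dedup ratio

    @staticmethod
    def _chunk(data: bytes):
        return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]

    def _digests(self, data: bytes):
        return [hashlib.sha256(c).hexdigest() for c in self._chunk(data)]

    def changed_fraction(self, files: dict) -> float:
        """Share of files with no identical copy in the latest snapshot.

        Near 1.0 for a data set that normally changes slowly is the signature of a
        mass-encryption event: raise an alert and never let this snapshot expire the
        previous one."""
        if not self.snapshots:
            return 1.0
        last = self.snapshots[-1]
        changed = sum(1 for p, d in files.items() if last.get(p) != self._digests(d))
        return changed / max(len(files), 1)

    def backup(self, files: dict) -> int:
        """Back up {path: bytes}; returns the index of the new snapshot."""
        manifest = {}
        for path, data in files.items():
            self.bytes_seen += len(data)
            digests = []
            for c in self._chunk(data):
                h = hashlib.sha256(c).hexdigest()
                self.chunks.setdefault(h, c)  # a chunk already present is not stored again
                digests.append(h)
            manifest[path] = digests
        self.snapshots.append(manifest)
        return len(self.snapshots) - 1

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self.chunks.values())

    def dedup_ratio(self) -> float:
        return self.bytes_seen / max(self.stored_bytes(), 1)

    def restore(self, index: int, path: str) -> bytes:
        """Reassemble a file from a snapshot, re-hashing every chunk; tampering or bit rot raises."""
        out = bytearray()
        for h in self.snapshots[index][path]:
            c = self.chunks[h]
            if hashlib.sha256(c).hexdigest() != h:
                raise ValueError(f"chunk {h[:12]} failed integrity check")
            out += c
        return bytes(out)


def demo() -> dict:
    """Two files sharing boilerplate, then a simulated ransomware run over them."""
    rng = random.Random(7)  # deterministic constructed data
    common = bytes(rng.getrandbits(8) for _ in range(3 * CHUNK_SIZE))
    files = {"reports/q1.docx": common + b"quarter one figures",
             "reports/q2.docx": common + b"quarter two figures"}
    store = SnapshotStore()
    first = store.backup(files)
    ratio_after_first = store.dedup_ratio()        # shared chunks stored once: close to 2.0
    unchanged = store.changed_fraction(files)      # same data offered again: 0.0
    # Simulated ransomware: every file replaced by random "ciphertext" under a new name.
    encrypted = {p + ".locked": bytes(rng.getrandbits(8) for _ in range(len(d)))
                 for p, d in files.items()}
    changed = store.changed_fraction(encrypted)    # 1.0: every file is new, block retention expiry
    store.backup(encrypted)                        # the bad state is recorded, but snapshot 0 is untouched
    return {
        "dedup_ratio": ratio_after_first,
        "unchanged_fraction": unchanged,
        "changed_fraction": changed,
        "restored_ok": store.restore(first, "reports/q1.docx") == files["reports/q1.docx"],
        "snapshots": len(store.snapshots),
    }


if __name__ == "__main__":
    print(demo())
```

The store is "offline" only in the sense that nothing here lets a client delete or overwrite a chunk or manifest; in a real deployment that property has to come from the storage layer (immutable object storage, write-once media, or a repository the backed-up hosts cannot write to).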

However, it’s not all about the technology, argued Bill Walker, technical director at training firm QA.

“The human element is equally – if not more – important. The best technology in the world won’t protect against the actions of an employee who, through an innocent mistake, opens the door to attack,” he added.

“So improve your cyber protection with regular staff training, just like an organization provides physical protection with a high-vis jacket and hard hat.”

Moonpig Hacker Escapes Jail Term

A 22-year-old UK hacker whose cyber-attack on greetings card giant Moonpig is said to have cost the firm £150,000 has escaped with a suspended jail sentence and just £200 in financial penalties.

Anthony Luke Fulton, of Cleator Moor in Cumbria, was handed a 16-month prison sentence, suspended for two years, and ordered to pay £100 in compensation to the firm and a £100 ‘victim surcharge’, as well as to complete 100 hours’ unpaid work.

Fulton had already admitted, at an earlier magistrates’ court hearing, three charges of causing a computer to “perform a function with intent to enable or secure unauthorized access,” according to local reports.

Over a four-day period in July 2015 he is said to have accessed the records of around 18,000 customers.

The intrusion apparently forced the firm to suspend its site in the US, UK and Australia while an investigation was carried out, leading to a significant amount of lost sales.

He is said to have been traced via an IP address that led investigators to his girlfriend’s home.

On 26 July Moonpig was forced to issue a statement revealing that customer email addresses, account balances and passwords had been “illegally published.”

However, it said the data had actually been obtained from third-party sites.

“This data was then used to access the account balances of some of our Moonpig.com customers,” it added. “As a reminder, we do not store full credit card information ourselves so this data was not accessible in any event.”

Sentencing Fulton at Carlisle Crown Court on Wednesday, judge Barbara Forrester is reported to have said: "I am limited in that I can't order any more [compensation] much as I would like to."

She did, however, order that his computer be modified so that Fulton cannot use his browser’s privacy settings to hide his activity or delete his web history.

Some will argue that Fulton’s sentence doesn’t fit the crime, given the amount Moonpig lost due to the incident.

However, this is not the first time the firm’s IT security posture has been called into question.

In January last year Moonpig was widely criticized by security experts after it emerged that the firm had failed for over 16 months to fix a vulnerability that could have allowed hackers to steal its customers’ personal details.

It’s not clear what motivated Fulton to carry out the attack on the greeting card giant.

Cyber-Upgrades Coming for Trident Nuclear Missile Program

The US Navy has announced that American and British Trident missiles will be upgraded because there is “legitimate concern” about threats from the cyber-realm.

The announcement comes as both nations pour billions into cybersecurity.

The UK and the US share a pool of submarine-launched Trident II D5 missiles, but design and build their nuclear warhead payloads separately. Britain’s 58 missiles are carried by the Royal Navy’s four Vanguard class nuclear submarines; each missile can be fitted with up to 12 warheads capable of striking different targets and has a range of 7,500 miles.

None of the nuclear systems are connected to the internet; they are protected by an air gap. But as the recent revelation of an air-gap-jumping USB trojan shows, malware authors are finding ways around that protection.

“Now that cyber has become even more important in our national security, there will be even more requirements. In our modern era, cybersecurity threats are a legitimate concern,” said John Daniels, a spokesman for the US Navy’s nuclear program, as reported by the Telegraph.

The software security work will be carried out by BAE Systems, which carries out maintenance of the missiles.

A Ministry of Defence spokesman told the paper: "The deterrent remains safe and secure. We take our responsibility to maintain a credible nuclear deterrent extremely seriously and continually assess the security of the whole deterrent programme and its operational effectiveness, including against threats from cyber.”

Colin Cassidy, security consultant for IOActive, told Infosecurity that "It's a step in the right direction for the UK Government to protect its nuclear weapons against cyber-attacks. However, it shouldn’t stop with just this—it needs to be looking at defending its critical infrastructure against cyber-attack as well. More needs to be spent on that, too, as it does seem as though it is defending its means to deter, rather than defending its means to be."

Hackers Mount Coordinated Attack on Prestigious US Law Firms

In what appears to be a coordinated attack, hackers have infiltrated three computer networks at some of the most prestigious law firms in the US.

Federal investigators think that the perpetrators could have been after confidential data for the purpose of insider trading, according to a person familiar with the matter.

According to reports, those firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations. Cravath said that the incident was a “limited breach” last summer, and that it is “not aware that any of the information that may have been accessed has been used improperly.”

The source went on to say that the Manhattan US attorney’s office and Federal Bureau of Investigation are working together on this, and that the probe is in its early stages.

Hacking for insider trading purposes is not unheard of. In a high-profile case that broke last year, more than 150,000 press releases containing earnings figures and other market-moving corporate information were stolen over a five-year period and analyzed before publication, giving the traders involved a head start of between a few hours and three days.

“While most companies generate and store some confidential, proprietary information internally, law firms tend to solicit and collect highly valuable data from their clients nearly all the time,” said Tod Beardsley, security research manager at Rapid7. “This presents a unique challenge to those firms' IT and security teams: on the one hand, attorneys and staff need to be reachable and accessible from the outside, and on the other, they need to be careful with the data they collect.”

The challenge of protecting this flow of valuable data is exacerbated by the fact that the most respected law firms tend to be the embodiment of "legacy systems."

“Cravath Swaine & Moore, like many of its peers, has a legacy measured not in years, but centuries,” Beardsley said. “These firms have had to layer decades upon decades of communications technology in their core IT infrastructure, while simultaneously keeping up with the rapidly changing threat landscape.”

MedStar Health Hit by Possible Ransomware Attack

Yet another healthcare organization has apparently been hit with ransomware. MedStar Health, a large healthcare provider in Maryland and Washington D.C., was forced to take its network offline this week after malware infected several systems.

MedStar operates 10 hospitals and more than 200 outpatient offices. According to a statement from MedStar, early on Monday morning its network was "affected by a virus" that prevented access to its systems. For now, employees are using pen and paper to get their work done.

"MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” it said in a statement. “We are working with our IT and cybersecurity partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning. We have no evidence that information has been compromised. The organization has moved to back-up systems [and] paper transactions where necessary.”

A hospital staffer told the Washington Post that a pop-up appeared on a computer warning of infection and demanding payment, but MedStar has not officially confirmed a ransomware infection.

In the last few weeks, ransomware has hit a number of medical organizations including the Hollywood Presbyterian Medical Center, the Chino Valley Medical Center, the Desert Valley Hospital, and Methodist Hospital in Henderson, Ky.

“Seculert's customers in the healthcare segment have told us repeatedly that ransomware is a major concern for them given the nature of the data they manage,” said Richard Greene, Seculert CEO, via email. “Losing access to it can be more than an annoyance, it can actually affect the speed and quality of care they are able to provide.”

Greene noted that the ultimate doomsday scenario has yet to happen—but that IT should be aware of it.

“Their biggest worry is getting attacked by ransomware with the ability to jump from an endpoint to a backup repository,” he said. “Then they’d be truly vulnerable. We haven’t seen this type of attack yet, but the sophisticated providers recognize it’s only a matter of time before they do see this kind of attack. So, they believe that it’s critical to have effective prevention and detection solutions in place before that happens.”

Toy Giant Mattel Narrowly Escapes Phishing Scam

Los Angeles-based toy manufacturer Mattel was recently caught up in a phishing scam that saw the firm transfer the tidy sum of $3 million to Chinese cyber-criminals.

Luckily for Mattel, whose brands include Hot Wheels, Barbie and WWE, the scammers did not account for one significant detail. They were cunning enough to attempt the con during a period of corporate change, with new CEO Christopher Sinclair having only just officially taken charge, but a bank holiday turned out to be the toy giant’s saving grace.

The scammers targeted an unnamed executive with a simple phishing email that appeared to come from Sinclair but, as is often the case, was bogus. The message requested that funds be wired to the Bank of Wenzhou for a vendor, and because the executive, herself a high-ranking manager, believed she had complied with company protocol, she carried out the transfer.

It did not become apparent that something was wrong until hours later, by which time the money was already on its way to China and Mattel’s efforts to stop the process appeared to be in vain.

However, because the transfer took place on a bank holiday, in this case Good Friday, the money could not be collected that day and the fraudsters had to wait until the bank reopened on the following Monday. This slice of luck bought Mattel precious time to work with Chinese authorities to recover the cash before the perpetrators could claim the spoils.
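The email described above is classic CEO fraud: a message that looks as if it comes from the new chief executive, asks for an urgent wire to a vendor, and relies on the recipient not checking. The Python triage check below is an added example, not Mattel's process: it parses a raw message and flags a display name that matches an executive but is sent from the wrong address, a lookalike or external sender domain, a Reply-To that diverts replies, the absence of passing SPF and DKIM results, and payment language, then recommends holding the message for confirmation by phone. The company domain, the executive directory entry and both sample messages are constructed assumptions.

```python
"""Triage check for CEO-fraud ("business email compromise") messages.

Added example, not Mattel's process. Company domain, executive directory and both
sample messages are constructed assumptions."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-toys.com"                                   # assumed corporate domain
EXECUTIVES = {"christopher sinclair": "csinclair@example-toys.com"}   # assumed directory entry
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|urgent|confidential|vendor|bank)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance_le_1(a: str, b: str) -> bool:
    """True if a and b differ by at most one dropped, added or substituted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def analyse(raw: bytes) -> dict:
    """Return the indicators found and a recommended action for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    auth = msg.get("Authentication-Results", "").lower()
    findings = []

    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' matches an executive but address is {from_addr}")
    sender_domain = _domain(from_addr)
    if sender_domain != COMPANY_DOMAIN:
        if _edit_distance_le_1(sender_domain, COMPANY_DOMAIN):
            findings.append(f"sender domain {sender_domain} is a lookalike of {COMPANY_DOMAIN}")
        else:
            findings.append(f"external sender domain {sender_domain}")
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from the visible sender")
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("no passing SPF and DKIM results recorded by the receiving gateway")
    terms = sorted({m.lower() for m in PAYMENT_TERMS.findall(body)})
    if len(terms) >= 2:
        findings.append("payment-request language: " + ", ".join(terms))

    action = "hold; confirm with the named sender by phone on a known number" if findings else "no indicators"
    return {"from": from_addr, "findings": findings, "action": action}


# Constructed sample messages (not real Mattel correspondence).
SUSPICIOUS = b"""\
From: Christopher Sinclair <christopher.sinclair@example-toy.com>
Reply-To: ceo.office@freemail.example
To: finance-director@example-toys.com
Subject: Urgent vendor payment
Authentication-Results: mx.example-toys.com; spf=fail smtp.mailfrom=example-toy.com; dkim=none
Content-Type: text/plain; charset=utf-8

I need you to wire the vendor payment today. This is confidential, do not discuss
it with anyone else. Bank details are attached.
"""

LEGITIMATE = b"""\
From: Christopher Sinclair <csinclair@example-toys.com>
To: finance-director@example-toys.com
Subject: Board pack
Authentication-Results: mx.example-toys.com; spf=pass smtp.mailfrom=example-toys.com; dkim=pass header.d=example-toys.com
Content-Type: text/plain; charset=utf-8

Please send me the board pack when it is ready. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyse(raw))
```

The check only trusts the `Authentication-Results` header because it is assumed to be written by your own gateway; strip any copy of that header arriving from outside before relying on it. The one-edit lookalike test is deliberately narrow and will not catch homoglyph or multi-character variants, which is why the recommended action is a phone call rather than an automated verdict.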

Some good fortune for the toy company on this occasion, then, but that does not mask the fact that phishing scams like this are now not only all too common but, more worryingly, too easy for criminals to carry out.

Companies have to realize that social engineering is a major issue that can bypass even the strongest and most sophisticated security infrastructure.

In a statement to Infosecurity, Quentyn Taylor, Director of EMEA Security at Canon, explained that we are now seeing a huge rise in phishing attacks because the cost of execution is low while the potential payouts are huge, and that to defend against them companies must couple sufficient processes with employee education.

“Successful companies don't simply tell executives what they should do to keep company data safe, they exercise them in detecting and responding to incidents – not just once but continually," he said.

"Mindset is harder, but it requires making sure that executives and employees understand that it's OK to question and check if they are suspicious. The attackers depend on staff blindly following orders, being unable to pick up the phone to confirm – by changing this mind set, employees become a much harder target, helping to keep your company data secure.”

Similarly, Mark Logsdon, cyber resilience expert at AXELOS, warns that unless companies implement widespread changes we will continue to see more and more organizations fall victim to similar socially engineered attacks.

“We need to understand a little about why phishing attacks are used by criminals,” he argued, saying they use simple techniques that manipulate “very basic instincts” which lead to “momentary lapses in concentration.”

“It’s important therefore to make everyone in the organization aware about what a phishing email is, what it does, what it looks like and importantly what one can do to prevent them from working. To be effective the messages contained in the awareness material must be engaging, relevant and importantly, ongoing,” he added.

FBI Refuses to Reveal Details of 'Torpedo' Sting

The FBI has refused to comply with a judge’s request to reveal how it uncovered the identities of Tor users suspected of visiting a child pornography website.

The court order came in a case involving Seattle teacher Jay Michaud, who is one of those alleged by prosecutors to have visited dark web site Playpen.

In February 2015, the FBI seized the site’s servers and kept them running with the addition of some unnamed software, dubbed a 'Network Investigative Technique' (NIT), which is thought to have exploited a flaw in Tor to reveal visitors’ IP addresses.

Michaud’s lawyers had demanded more details of how the Feds did this, in case they exceeded the scope of the warrant granted by a court for the sting operation, and to check whether their client had been identified correctly.

In the new court filing (via The Register), FBI special agent Daniel Alfin argues that revealing the nature of the exploit would not provide the information sought by the defense team.

“Discovery of the exploit would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud’s computer, not what it did once deployed,” he writes.

“Knowing how someone unlocked the front door provides no information about what that person did after entering the house. Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud's computer, not the method by which they were delivered.”

Alfin goes on to clarify that the identifier assigned to Michaud’s NIT results was definitely unique – and no duplicates were generated.

Alongside this declaration by Alfin, the FBI is reported to have filed a sealed brief explaining why it is resisting the judge’s requests to reveal its exploit code.

If those exploit details were made public, it is all but certain that any related bugs would soon be fixed by Tor.

The news comes as the FBI’s high profile courtroom battle with Apple took another twist this week.

Now that the Feds have apparently found a way to brute-force the iPhone of San Bernardino shooter Syed Farook, it is Apple that wants information, namely how they did it.

It’s thought an unnamed third-party firm may have helped the agency in its efforts, but so far the FBI has remained tight-lipped about its methods.

Apple will be worried that this represents a significant security risk to its users, especially if the details fall into the wrong hands.